MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9c607f263a990db1bf0465c8688ed7ce7e5f294845041fb56af313df34f45df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	e9c607f263a990db1bf0465c8688ed7ce7e5f294845041fb56af313df34f45df
SHA3-384 hash:	d3f2cd6a77abceaeb46b937940298305988ab4259d3e5fd5fc07a47ab726a94a98abee30c7793da4e642631aea600e26
SHA1 hash:	43438e798b9affd9fcb871dfb8c31f42b06f5b4c
MD5 hash:	67deca381bb44b96fa13bead0adc1a6b
humanhash:	hawaii-jupiter-artist-stairway
File name:	svchost.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	266'240 bytes
First seen:	2020-04-11 11:49:24 UTC
Last seen:	2020-04-11 12:44:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:8+XMx2G+FJWeNMcmiz9NL+BV4eGLq+mntspb9oQsoNSDNfmzR:L62xFJWe/miz9Z+BV4PW+ueQ
Threatray	298 similar samples on MalwareBazaar
TLSH	DC445C242AFB5119F073EFB64AE87596CA6EFB333606D45D1092038A4B23B41ED9153F
Reporter	abuse_ch
Tags:	AsyncRAT COVID-19 exe RAT

abuse_ch

COVID-19 themed malspam distributing AsyncRAT:

HELO: mailcan.primotedesco.com.br
Sending IP: 200.183.172.2
From: Charles Taylor <ct2844@naver.com> (Remote Personal Assistant needed)
Subject: Requesting for a Remote Assistant due to Covid-19
Attachment: Payment-Delayed.xls
Attachment: Payment-Delayed.doc

AsyncRAT payload URL:
https://www.chipmarkets.com//vendor/phpunit/phpunit/src/Util/PHP/admin/svchost.exe

AsyncRAT C2:
babyboyhammer2.duckdns.org:7707 (176.31.26.213)

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/912/

Detection(s):

SecuriteInfo.com.MSIL.GenKryptik.EIFI.15663.UNOFFICIAL

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/343758

Behaviour

Behavior Graph:

n/a

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Agensla

Status:

Malicious

First seen:

2020-04-11 11:40:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5hdap4tdvginwg7qizoinchnptt6l4uuqried62wv4yt342pixpq._file

Verdict:

malicious

Label(s):

asyncrat

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

xls 6fc9877b40e3210f9b941f3e2fce3a6384b113b189171cdf8416fe8ea188b719

AsyncRAT

exe e9c607f263a990db1bf0465c8688ed7ce7e5f294845041fb56af313df34f45df

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/338320/

Dropped by

MD5 df4727d4e4a09093db57e2d6bc5985cd

Dropped by

SHA256 6fc9877b40e3210f9b941f3e2fce3a6384b113b189171cdf8416fe8ea188b719

Dropped by

MD5 7b2bc2d27c4606687afe2ae939bc1a4d

Dropped by

SHA256 b398c602a2c9bab7ad128bcd189f83106244670cdf6b99782e59ed9d5435cef6

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/912/

Cape

https://www.capesandbox.com/analysis/911/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample